scroll identifier for mobile
main-content

## Über dieses Buch

This book constitutes the refereed proceedings of the 15th International Conference on Cryptology and Network Security, CANS 2016, held in Milan, Italy, in November 2016.

The 30 full papers presented together with 18 short papers and 8 poster papers were carefully reviewed and selected from 116 submissions. The papers are organized in the following topical sections: cryptanalysis of symmetric key; side channel attacks and implementation; lattice-based cryptography, virtual private network; signatures and hash; multi party computation; symmetric cryptography and authentication; system security, functional and homomorphic encryption; information theoretic security; malware and attacks; multi party computation and functional encryption; and network security, privacy, and authentication.

## Inhaltsverzeichnis

### Linear Regression Attack with F-test: A New SCARE Technique for Secret Block Ciphers

The past ten years have seen tremendous progress in the uptake of side channel analysis in various applications. Among them, Side Channel Analysis for Reverse Engineering (SCARE) is an especially fruitful area. Taking the side channel leakage into account, SCARE efficiently recovers secret ciphers in a non-destructive and non-intrusive manner. Unfortunately, most previous works focus on customizing SCARE for a certain type of ciphers or implementations. In this paper, we ask whether the attacker can loosen these restrictions and reverse secret block ciphers in a more general manner. To this end, we propose a SCARE based on Linear Regression Attack (LRA), which simultaneously detects and analyzes the power leakages of the secret encryption process. Compared with the previous SCAREs, our approach uses less a priori knowledge, covers more block cipher instances in a completely non-profiled manner. Moreover, we further present a complete SCARE flow with realistic power measurements of an unprotected software implementation. From traces that can barely recognize the encryption rounds, our experiments demonstrate how the underlying cipher can be recovered step-by-step. Although our approach still has some limitations, we believe it can serve as an alternative tool for reverse engineering in the future.

Si Gao, Hua Chen, Wenling Wu, Limin Fan, Jingyi Feng, Xiangliang Ma

### Compact Representation for Division Property

The division property, which is a new method to find integral characteristics, was proposed at Eurocrypt 2015. Thereafter, some applications and improvements have been proposed. The bit-based division property is also one of such improvements, and the accurate integral characteristic of Simon32 is theoretically proved. In this paper, we propose the compact representation for the bit-based division property. The disadvantage of the bit-based division property is that it cannot be applied to block ciphers whose block length is over 32 because of high time and memory complexity. The compact representation partially solves this problem, and we apply this technique to 64-bit block cipher PRESENT to illustrate our method. We can accurately evaluate the propagation characteristic of the bit-based division property thanks to the compact representation. As a result, we find 9-round integral characteristics, and the characteristic is improved by two rounds than previous best characteristic. Moreover, we attack 12-round PRESENT-80 and 13-round PRESENT-128 by using this new characteristic.

Yosuke Todo, Masakatu Morii

### An Automatic Cryptanalysis of Transposition Ciphers Using Compression

Automatically recognising valid decryptions as a result of ciphertext only cryptanalysis of simple ciphers is not an easy issue and still considered as a taxing problem. In this paper, we present a new universal compression-based approach to the automatic cryptanalysis of transposition ciphers. In particular, we show how a Prediction by Partial Matching (PPM) compression model, a scheme that performs well at many language modelling tasks, can be used to automatically recognise the valid decrypt with a 100 % success rate. We also show how it significantly outperforms another compression scheme, Gzip. In this paper, we propose a full mechanism for the automatic cryptanalysis of transposition ciphers which also automatically adds spaces to decrypted texts, again using a compression-based approach, in order to achieve readability.

Noor R. Al-Kazaz, Sean A. Irvine, William J. Teahan

### Side-Channel Attacks on Threshold Implementations Using a Glitch Algebra

Threshold implementations allow to implement circuits using secret sharing in a way to thwart side-channel attacks based on probing or power analysis. It was proven they resist to attacks based on glitches as well. In this report, we show the limitations of these results. Concretely, this approach proves security against attacks which use the average power consumption of an isolated circuit. But there is no security provided against attacks using a non-linear function of the power traces (such as the mean of squares or the majority of a threshold function), and there is no security provided for cascades of circuits, even with the power mean. We take as an example the threshold implementation of the AND function by Nikova, Rechberger, and Rijmen with 3 and 4 shares. We further consider a proposal for higher-order by Bilgin et al.

Serge Vaudenay

### Diversity Within the Rijndael Design Principles for Resistance to Differential Power Analysis

The winner of the Advanced Encryption Standard (AES) competition, Rijndael, strongly resists mathematical cryptanalysis. However, side channel attacks such as differential power analysis and template attacks break many AES implementations.We propose a cheap and effective countermeasure that exploits the diversity of algorithms consistent with Rijndael’s general design philosophy. The secrecy of the algorithm settings acts as a second key that the adversary must learn to mount popular side channel attacks. Furthermore, because they satisfy Rijndael’s security arguments, these algorithms resist cryptanalytic attacks.Concretely, we design a 72-bit space of SubBytes variants and a 36-bit space of ShiftRows variants. We investigate the mathematical strength provided by these variants, generate them in SageMath, and study their impact on differential power analysis and template attacks against field-programmable gate arrays (FPGAs) by analyzing power traces from the DPA Contest v2 public dataset.

Merrielle Spain, Mayank Varia

### NEON-SIDH: Efficient Implementation of Supersingular Isogeny Diffie-Hellman Key Exchange Protocol on ARM

We investigate the efficiency of implementing the Jao and De Feo isogeny-based post-quantum key exchange protocol (from PQCrypto 2011) on ARM-powered embedded platforms. In this work we propose new primes to speed up constant-time finite field arithmetic and perform isogenies quickly. Montgomery multiplication and reduction are employed to produce a speedup of 3 over the GNU Multiprecision Library. We analyze the recent projective isogeny formulas presented in Costello et al. (Crypto 2016) and conclude that affine isogeny formulas are much faster in ARM devices. We provide fast affine SIDH libraries over 512, 768, and 1024-bit primes. We provide timing results for emerging embedded ARM platforms using the ARMv7A architecture for the 85-, 128-, and 170-bit quantum security levels. Our assembly-optimized arithmetic cuts the computation time for the protocol by 50 % in comparison to our portable C implementation and performs approximately 3 times faster than the only other ARMv7 results found in the literature. The goal of this paper is to show that isogeny-based cryptosystems can be implemented further and be used as an alternative to classical cryptosystems on embedded devices.

Brian Koziel, Amir Jalali, Reza Azarderakhsh, David Jao, Mehran Mozaffari-Kermani

### Server-Aided Revocable Identity-Based Encryption from Lattices

Server-aided revocable identity-based encryption (SR-IBE), recently proposed by Qin et al. at ESORICS 2015, offers significant advantages over previous user revocation mechanisms in the scope of IBE. In this new system model, almost all the workloads on users are delegated to an untrusted server, and users can compute decryption keys at any time period without having to communicate with either the key generation center or the server.In this paper, inspired by Qin et al.’s work, we design the first SR-IBE scheme from lattice assumptions. Our scheme is more efficient than existing constructions of lattice-based revocable IBE. We prove that the scheme is selectively secure in the standard model, based on the hardness of the Learning with Errors problem. At the heart of our design is a “double encryption” mechanism that enables smooth interactions between the message sender and the server, as well as between the server and the recipient, while ensuring the confidentiality of messages.

Khoa Nguyen, Huaxiong Wang, Juanyang Zhang

### Speeding up the Number Theoretic Transform for Faster Ideal Lattice-Based Cryptography

The Number Theoretic Transform (NTT) provides efficient algorithms for cyclic and nega-cyclic convolutions, which have many applications in computer arithmetic, e.g., for multiplying large integers and large degree polynomials. It is commonly used in cryptographic schemes that are based on the hardness of the Ring Learning With Errors (R-LWE) problem to efficiently implement modular polynomial multiplication.We present a new modular reduction technique that is tailored for the special moduli required by the NTT. Based on this reduction, we speed up the NTT and propose faster, multi-purpose algorithms. We present two implementations of these algorithms: a portable C implementation and a high-speed implementation using assembly with AVX2 instructions. To demonstrate the improved efficiency in an application example, we benchmarked the algorithms in the context of the R-LWE key exchange protocol that has recently been proposed by Alkim, Ducas, Pöppelmann and Schwabe. In this case, our C and assembly implementations compute the full key exchange 1.44 and 1.21 times faster, respectively. These results are achieved with full protection against timing attacks.

Patrick Longa, Michael Naehrig

### An Efficient Lattice-Based Multisignature Scheme with Applications to Bitcoins

Multisignature schemes constitute important primitives when it comes to save the storage and bandwidth costs in presence of multiple signers. Such constructions are extensively used in financial applications such as Bitcoins, where more than one key is required in order to authorize Bitcoin transactions. However, many of the current state-of-the-art multisignature schemes are based on the RSA or discrete-log assumptions, which may become insecure in the future, for example due to the possibility of quantum attacks. In this paper we propose a new multisignature scheme that is built on top of the intractability of lattice problems that remain hard to solve even in presence of powerful quantum computers. The size of a multisignature is quasi optimal and our scheme can also easily be transformed into a more general aggregate signature scheme. Finally, we give an efficient implementation of the scheme which testifies its practicality and competitive capacity.

Rachid El Bansarkhani, Jan Sturm

### Breaking PPTP VPNs via RADIUS Encryption

We describe an efficient cross-protocol attack, which enables an attacker to learn the VPN session key shared between a victim client and a VPN endpoint. The attack recovers the key which is used to encrypt and authenticate VPN traffic. It leverages a weakness of the RADIUS protocol executed between a VPN endpoint and a RADIUS server, and allows an “insider” attacker to read the VPN traffic of other users or to escalate its own privileges with significantly smaller effort than previously known attacks on MS-CHAPv2.

Matthias Horst, Martin Grothe, Tibor Jager, Jörg Schwenk

### LEAP: A Next-Generation Client VPN and Encrypted Email Provider

As demonstrated by the revelations of Edward Snowden on the extent of pervasive surveillance, one pressing danger is in the vast predominance of unencrypted messages, due to the influence of the centralizing silos such as Microsoft, Facebook, and Google. We present the threat model and architectural design of the LEAP platform and client applications, which currently provisions opportunistic email encryption combined with a VPN tunnel and cross-device synchronization.

Elijah Sparrow, Harry Halpin, Kali Kaneko, Ruben Pollan

### Implementation State of HSTS and HPKP in Both Browsers and Servers

HSTS and HPKP are relatively recent protocols aimed to enforce HTTPS connections and allow certificate pinning over HTTP. The combination of these protocols improves and strengthens HTTPS security in general, adding an additional layer of trust and verification, as well as ensuring as far as possible that the connection is always secure. However, the adoption and implementation of any protocol that is not yet completely settled, usually involves the possibility of introducing new weaknesses, opportunities or attack scenarios. Even when these protocols are implemented, bad practices prevent them from actually providing the additional security they are expected to provide. In this document, we have studied the quantity and the quality of the implementation both in servers and in most popular browsers and discovered some possible attack scenarios.

Sergio de los Santos, Carmen Torrano, Yaiza Rubio, Félix Brezo

### Signer-Anonymous Designated-Verifier Redactable Signatures for Cloud-Based Data Sharing

Redactable signature schemes allow to black out predefined parts of a signed message without affecting the validity of the signature, and are therefore an important building block in privacy-enhancing cryptography. However, a second look shows, that for many practical applications, they cannot be used in their vanilla form. On the one hand, already the identity of the signer may often reveal sensitive information to the receiver of a redacted message; on the other hand, if data leaks or is sold, everyone getting hold of (redacted versions of) a signed message will be convinced of its authenticity.We overcome these issues by providing a definitional framework and practically efficient instantiations of so called signer-anonymous designated-verifier redactable signatures (AD-RS). As a byproduct we also obtain the first group redactable signatures, which may be of independent interest. AD-RS are motivated by a real world use-case in the field of health care and complement existing health information sharing platforms with additional important privacy features. Moreover, our results are not limited to the proposed application, but can also be directly applied to various other contexts such as notary authorities or e-government services.

David Derler, Stephan Krenn, Daniel Slamanig

### Group Signature with Deniability: How to Disavow a Signature

Group signatures are a class of digital signatures with enhanced privacy. By using this type of signature, a user can sign a message on behalf of a specific group without revealing his identity, but in the case of a dispute, an authority can expose the identity of the signer. However, it is not always the case that we need to know the specific identity of the signature. In this paper, we propose the notion of deniable group signature, where the authority can issue a proof showing that the specified user is NOT the signer of the signature, without revealing the actual signer. We point out that existing efficient non-interactive zero-knowledge proof systems cannot be straightforwardly applied to prove such a statement. We circumvent this problem by giving a fairly practical construction through extending the Groth group signature scheme (ASIACRYPT 2007). In particular, a denial proof in our scheme consists of 96 group elements, which is about twice the size of a signature in the Groth scheme. The proposed scheme is provably secure under the same assumptions as those of the Groth scheme.

Ai Ishida, Keita Emura, Goichiro Hanaoka, Yusuke Sakai, Keisuke Tanaka

### Sandwich Construction for Keyed Sponges: Independence Between Capacity and Online Queries

We study the pseudo-random function (PRF) security of keyed sponges that use a sponge function with extendable outputs in a black-box way. “Capacity” is a parameter of a keyed sponge that usually defines a dominant term in the PRF-bound. The previous works have improved the capacity term in the PRF-bound of the “prefix” keyed sponge, where the key is prepended to an input message, and then the resultant value is inputted into the sponge function. A tight bound for the capacity term was given by Naito and Yasuda (FSE 2016): $$(qQ+q^2)/2^c$$(qQ+q2)/2c where c is the capacity, q is the number of online queries and Q is the number of offline queries. Thus the following question is naturally arisen: can we construct a keyed sponge with beyond the$$(q^2+qQ)/2^c$$(q2+qQ)/2cbound security?In this paper, we consider the “sandwich” keyed sponge, where the key is both prepended and appended to an input message, and then the resultant value is inputted into the sponge function. We prove that the capacity term becomes $$rQ/2^c$$rQ/2c for the rate r, which is usually $$r \ll q$$r≪q and $$r \ll Q$$r≪Q. Therefore, by the sandwich construction, the dependence between the capacity term and the number of online queries can be removed.

Yusuke Naito

### Secure Error-Tolerant Graph Matching Protocols

We consider a setting where there are two parties, each party holds a private graph and they wish to jointly compute the structural dissimilarity between two graphs without revealing any information about their private input graph. Graph edit distance (GED) is a widely accepted metric for measuring the dissimilarity of graphs. It measures the minimum cost for transforming one graph into the other graph by applying graph edit operations. In this paper we present a framework for securely computing approximated GED and as an example, present a protocol based on threshold additive homomorphic encryption scheme. We develop several new sub-protocols such as private maximum computation and optimal assignment protocols to construct the main protocol. We show that our protocols are secure against semi-honest adversaries. The asymptotic complexity of the protocol is $$O(n^5\ell \log ^*(\ell ))$$O(n5ℓlog∗(ℓ)) where $$\ell$$ℓ is the bit length of ring elements and n is the number of nodes in the graph.

Kalikinkar Mandal, Basel Alomair, Radha Poovendran

### Efficient Verifiable Computation of XOR for Biometric Authentication

This work addresses the security and privacy issues in remote biometric authentication by proposing an efficient mechanism to verify the correctness of the outsourced computation in such protocols. In particular, we propose an efficient verifiable computation of XORing encrypted messages using an XOR linear message authentication code (MAC) and we employ the proposed scheme to build a biometric authentication protocol. The proposed authentication protocol is both secure and privacy-preserving against malicious (as opposed to honest-but-curious) adversaries. Specifically, the use of the verifiable computation scheme together with an homomorphic encryption protects the privacy of biometric templates against malicious adversaries. Furthermore, in order to achieve unlinkability of authentication attempts, while keeping a low communication overhead, we show how to apply Oblivious RAM and biohashing to our protocol. We also provide a proof of security for the proposed solution. Our simulation results show that the proposed authentication protocol is efficient.

Aysajan Abidin, Abdelrahaman Aly, Enrique Argones Rúa, Aikaterini Mitrokotsa

### Verifiable Message-Locked Encryption

One of today’s main challenge related to cloud storage is to maintain the functionalities and the efficiency of customers’ and service providers’ usual environments, while protecting the confidentiality of sensitive data. Deduplication is one of those functionalities: it enables cloud storage providers to save a lot of memory by storing only once a file uploaded several times. But classical encryption blocks deduplication. One needs to use a “message-locked encryption” (MLE), which allows the detection of duplicates and the storage of only one encrypted file on the server, which can be decrypted by any owner of the file. However, in most existing scheme, a user can bypass this deduplication protocol. In this article, we provide servers verifiability for MLE schemes: the servers can verify that the ciphertexts are well-formed. This property that we formally define forces a customer to prove that she complied to the deduplication protocol, thus preventing her to deviate from the prescribed functionality of MLE. We call it deduplication consistency. To achieve this deduplication consistency, we provide (i) a generic transformation that applies to any MLE scheme and (ii) an ElGamal-based deduplication-consistent MLE, which is secure in the random oracle model.

Sébastien Canard, Fabien Laguillaumie, Marie Paindavoine

### Security of Online AE Schemes in RUP Setting

Authenticated encryption (AE) combines privacy with data integrity, and in the process of decryption, the plaintext is always kept until successful verification. But in applications with insufficient memory or with realtime requirement, release of unverified plaintext is unavoidable. Furthermore most of present online AE schemes claim to keep the unverified plaintext, leading to online encryption but offline decryption, which seems unreasonable for online applications. Thus, security of the releasing unverified plaintext (RUP) setting, especially for online AE scheme need to be taken seriously. The notion of plaintext awareness (PA) together with IND-CPA have been formalized to achieve privacy in RUP setting by Andreeva et al. in 2014. But notion of PA is too strong and conflicts to online property, namely no online AE scheme can be PA secure according to their results, leading PA to lose its practical significance. In this paper, we define a similar security notion OPA and combine OPA with OPRP-CPA (IND-CPA) to achieve privacy of online AE scheme in RUP setting, which solves the conflicts between PA and online property. And we analysis the relation between OPA and some other notions. Then we study OPA security of existing online AE schemes, and show OPA insecurity of Stream Structure and structures with the property of “controll ciphertext to jump between two plaintexts" (CCJP), which are adopted by most of schemes in the ongoing CAESAR competition. At last, combining the property CCJP with the simple tag-producing process, we look upon the INT-RUP insecurity of existing schemes from new different angle.

Jian Zhang, Wenling Wu

### An Efficient Entity Authentication Protocol with Enhanced Security and Privacy Properties

User authentication based on biometrics is getting an increasing attention. However, privacy concerns for biometric data have impeded the adoption of cloud-based services for biometric authentication. This paper proposes an efficient distributed two-factor authentication protocol that is privacy-preserving even in the presence of colluding internal adversaries. One of the authentication factors in our protocol is biometrics, and the other factor can be either knowledge-based or possession-based. The actors involved in our protocol are users, user/client devices with biometric sensors, service provider, and cloud for storing protected biometric templates. Contrary to the existing biometric authentication protocols that offer security only in the honest-but-curious adversarial model, our protocol provides enhanced security and privacy properties in the active (or malicious) adversarial model. Specifically, our protocol offers identity privacy, unlinkability, and user data (i.e., the biometric template data and the second factor) privacy against compromised cloud storage service, and preserves the privacy of the user data even if the cloud storage service colludes with the service provider. Moreover, our protocol only employs lightweight schemes and thus is efficient. The distributed model combined with the security and privacy properties of our protocol paves the way towards a new cloud-based business model for privacy-preserving authentication.

Aysajan Abidin, Enrique Argones Rúa, Bart Preneel

### Probabilistic Generation of Trapdoors: Reducing Information Leakage of Searchable Symmetric Encryption

Searchable symmetric encryption (SSE) enables a user to outsource a collection of encrypted documents in the cloud and to perform keyword searching without revealing information about the contents of the documents and queries. On the other hand, the information (called search pattern) whether or not the same keyword is searched in each query is always leaked in almost all previous schemes whose trapdoors are generated deterministically. Therefore, reducing the search pattern leakage is outside the scope of almost all previous works. In this paper, we tackle to the leakage problem of search pattern, and study methodology to reduce this leakage. Especially, we discuss that it might be possible to reduce the search pattern leakage in cases where a trapdoor does not match any encrypted document. We also point out that the same search pattern is leaked regardless of probabilistic or deterministic generation of trapdoors when the user searches using a keyword which has already searched and matched a certain encrypted document. Thus, we further aim to construct SSE schemes with fast “re-search” process, in addition to reducing the search pattern leakage. In order to achieve the above, we introduce a new technique “trapdoor locked encryption” which can extract a deterministic trapdoor from a probabilistic trapdoor, and then propose a new SSE scheme which can generate trapdoors probabilistically and reduce the search pattern leakage. Our scheme is constructed by applying our technique to the well-known and influential scheme SSE-2 (ACM CCS 2006) and can be proved secure in the standard model.

Kenichiro Hayasaka, Yutaka Kawai, Yoshihiro Koseki, Takato Hirano, Kazuo Ohta, Mitsugu Iwamoto

### AAL and Static Conflict Detection in Policy

Security and privacy requirements in ubiquitous systems need a sophisticated policy language with features to express access restrictions and obligations. Ubiquitous systems involve multiple actors owning sensitive data concerning aspects such as location, discrete and continuous time, multiple roles that can be shared among actors or evolve over time. Policy consistency is an important problem in languages supporting these aspects. In this paper we present an abstract language (AAL) to specify most of these security and privacy features and compare it with XACML. We also classified the existing conflict detection mechanisms for XACML in dynamic, testing, or static detection. A thorough analysis of these mechanisms reveals that they have several weaknesses and they are not applicable in our context. We advocate for a classic approach using the notion of logical consistency to detect conflicts in AAL.

Jean-Claude Royer, Anderson Santana De Oliveira

### Component-Oriented Access Control for Deployment of Application Services in Containerized Environments

With the advancements in multi-core CPU architectures, it is now possible for a server operating system (OS) such as Linux to handle a large number of concurrent application services on a single server instance. Individual service components of such services may run in different isolated environments, such as chrooted jails or application containers, and may need controlled access to system resources and the ability to collaborate and coordinate with each other in a regulated and secure manner. In an earlier work, we motivated the need for an access control framework that is based on the principle of least privilege for formulation, management, and enforcement of policies that allows controlled access to system resources and also permits controlled collaboration and coordination for service components deployed in disjoint containerized environments under a single OS instance. The current work provides a more in-depth treatment of secure inter-component communication in such environments. We show the policies needed for such communication and demonstrate how they can be enforced through a Linux Policy Machine that acts as the centralized reference monitor. The inter-component interaction occurs through the persistent layer using a tuple space abstraction. We implemented a tuple space library that provides operations on the tuple space. We present preliminary experimental results of its implementation that discuss the resource usage and performance.

Kirill Belyaev, Indrakshi Ray

### Generic Access Control System for Ad Hoc MCC and Fog Computing

The goal of this paper is to propose an approach based on DHT toward access control for ad hoc MCC and Fog computing. We rely on Chord DHTs to create a scalable, generic and robust access control solution. We use simulations to evaluate the performances of the proposal. We focus on a set of metrics to measure the overhead of the system. We considered a variable network size, a variable responsible nodes percentage and different hash function as simulation parameter. The obtained results show acceptable overhead for relatively average networks sizes. Simulations show that all the metrics increase with the nodes number and the number of responsible nodes.

Bilel Zaghdoudi, Hella Kaffel-Ben Ayed, Wafa Harizi

### SecReach: Secure Reachability Computation on Encrypted Location Check-in Data

Reachability, which answers whether one person is reachable from another through a sequence of contacts within a period of time, is of great importance in many domains such as social behavior analysis. Recently, with the prevalence of various location-based services (LBSs), a great amount of spatiotemporal location check-in data is generated by individual GPS-equipped mobile devices and collected by LBS companies, which stimulates research on reachability queries in these location check-in datasets. Meanwhile, a growing trend is for LBS companies to use scalable and cost-effective clouds to collect, store, and analyze data, which makes it necessary to encrypt location check-in data before outsourcing due to privacy concerns. In this paper, for the first time, we propose a scheme, SecReach, to securely evaluate reachability queries on encrypted location check-in data by using somewhat homomorphic encryption (SWHE). We prove that our scheme is secure against a semi-honest cloud server. We also present a proof-of-concept implementation using the state-of-the-art SWHE library (i.e., HElib), which shows the efficiency and feasibility of our scheme.

Hanyu Quan, Boyang Wang, Iraklis Leontiadis, Ming Li, Yuqing Zhang

### FHE Over the Integers and Modular Arithmetic Circuits

Fully homomorphic encryption (FHE) over the integers, as proposed by van Dijk et al. in 2010 and developed in a number of papers afterwards, originally supported the evaluation of Boolean circuits (i.e. mod-2 arithmetic circuits) only. It is easy to generalize the somewhat homomorphic versions of the corresponding schemes to support arithmetic operations modulo Q for any $$Q>2$$ Q>2, but bootstrapping those generalized variants into fully homomorphic schemes is not easy. Thus, Nuida and Kurosawa settled a significant open problem in 2015 by showing that one could in fact construct FHE over the integers with message space $${\mathbb Z}/Q{\mathbb Z}$$ Z/QZ for any constant prime Q.As a result of their work, we now have two different ways of homomorphically evaluating a mod-Q arithmetic circuit with an FHE scheme over the integers: one could either use their scheme with message space $${\mathbb Z}/Q{\mathbb Z}$$ Z/QZ directly, or one could first convert the arithmetic circuit to a Boolean one, and evaluate that converted circuit using an FHE scheme with binary message space. In this paper, we compare both approaches and show that the latter is often preferable to the former.

Eunkyung Kim, Mehdi Tibouchi

### An Efficient Somewhat Homomorphic Encryption Scheme Based on Factorization

Surprisingly, most of existing provably secure FHE or SWHE schemes are lattice-based constructions. It is legitimate to question whether there is a mysterious link between homomorphic encryptions and lattices. This paper can be seen as a first (partial) negative answer to this question. We propose a very simple private-key (partially) homomorphic encryption scheme whose security relies on factorization. This encryption scheme deals with a secret multivariate rational function $$\phi _D$$ϕD defined over $$\mathbb {Z}_n$$Zn, n being an RSA-modulus. An encryption of x is simply a vector c such that $$\phi _D(c)=x+\textsf {noise}$$ϕD(c)=x+noise. To get homomorphic properties, nonlinear operators are specifically developed. We first prove IND-CPA security in the generic ring model assuming the hardness of factoring. We then extend this model in order to integrate lattice-based cryptanalysis and we reduce the security of our scheme (in this extended model) to an algebraic condition. This condition is extensively discussed for several choices of parameters. Some of these choices lead to competitive performance with respect to other existing homomorphic encryptions. While quantum computers are not only dreams anymore, designing factorization-based cryptographic schemes might appear as irrelevant. But, it is important to notice that, in our scheme, the factorization of n is not required to decrypt. The factoring assumption simply ensures that solving nonlinear equations or finding non-null polynomials with many roots is difficult. Consequently, the ideas behind our construction could be re-used in rings satisfying these properties.

Gérald Gavin

### Efficient, XOR-Based, Ideal threshold Schemes

We propose a new, lightweight $$(t,n)-$$threshold secret sharing scheme that can be implemented using only XOR operations. Our scheme is based on an idea extracted from a patent application by Hewlett Packard that utilises error correction codes. Our scheme improves on the patent by requiring fewer randomly generated bits and by reducing the size of shares given to each player, thereby making the scheme ideal. We provide a security proof and efficiency analysis. We compare our scheme to existing schemes in the literature and show that our scheme is more efficient than other schemes, especially when t is large.

Liqun Chen, Thalia M. Laing, Keith M. Martin

### Efficient and Secure Multiparty Computations Using a Standard Deck of Playing Cards

It is known that secure multiparty computation can be performed using physical cards with identical backs, and numerous card-based cryptographic protocols have been proposed. Almost all existing protocols require multiple cards that have the same pattern on their face sides; thus, a standard deck of playing cards cannot be used for executing these protocols. However, there is one exception: Niemi and Renvall’s protocols, proposed in 1999, can be used with standard playing cards. In this paper, we continue their efforts to improve secure multiparty computation using a standard deck of playing cards, and propose efficient AND, XOR, and copy protocols that require significantly fewer shuffles compared to previous protocols.

Takaaki Mizuki

### Efficient Card-Based Cryptographic Protocols for Millionaires’ Problem Utilizing Private Permutations

We propose several efficient card-based cryptographic protocols for the millionaires’ problem by introducing a new operation called Private Permutation (PP) instead of the shuffle used in existing card-based cryptographic protocols. Shuffles are useful randomization techniques for designing card-based cryptographic protocols for logical gates, and this approach seems to be almost optimal. This fact, however, implies that there is room for improvements if we do not use logical gates as building blocks for secure computing, and we show that such an improvement is actually possible for the millionaires’ problem. Our key technique, PP, is a natural randomization operation for permuting a set of cards behind the player’s back, and hence, a shuffle can be decomposed into two PPs with one communication between them. Thus PP not only allows us to transform Yao’s seminal protocol into a card-based cryptographic protocol, but also enables us to propose entirely novel and efficient protocols by securely updating bitwise comparisons between two numbers. Furthermore, it is interesting to remark that one of the proposed protocols has a remarkably deep connection to the well-known logical puzzle known as “The fork in the road”.

Takeshi Nakai, Yuuki Tokushige, Yuto Misawa, Mitsugu Iwamoto, Kazuo Ohta

### Evaluation on Malware Classification by Session Sequence of Common Protocols

Recent malware is becoming sophisticated year by year. It often uses common protocols like HTTP to imitate normal communications. So, we have to consider activities in common protocols when we analyze malware. Meanwhile, the number of malware analysts is insufficient compared to new malware generation speed. To solve this problem, there is expectation to a malware classification method which classifies huge number malware with quickness and accurate. With this method, malware analysts can dedicate to the investigation of new types of malware. In this paper, we propose a malware classification method using Session Sequence of common protocols which classifies malware into new or existing one. Furthermore, if the malware is classified as existing malware, the proposed method also classifies it into existing malware families. We evaluated our proposed method with traffics of 502 malware samples. The experimental results shows that our method can correctly judge and classify in 84.5 % accuracy.

Shohei Hiruta, Yukiko Yamaguchi, Hajime Shimada, Hiroki Takakura, Takeshi Yagi, Mitsuaki Akiyama

### An Efficient Approach to Detect TorrentLocker Ransomware in Computer Systems

TorrentLocker is a ransomware that encrypts sensitive data located on infected computer systems. Its creators aim to ransom the victims, if they want to retrieve their data. Unfortunately, antiviruses have difficulties to detect such polymorphic malware. In this paper, we propose a novel approach to detect online suspicious processes accessing a large number of files and encrypting them. Such a behavior corresponds to the classical scenario of a malicious ransomware. We show that the Kullback-Liebler divergence can be used to detect with high effectiveness whether a process transforms structured input files (such as JPEG files) into unstructured encrypted files, or not. We focus mainly on JPEG files since irreplaceable pictures represent in many cases the most valuable data on personal computers or smartphones.

Faustin Mbol, Jean-Marc Robert, Alireza Sadighian

### Detecting Malware Through Anti-analysis Signals - A Preliminary Study

Malware is often designed to make analysis difficult – behaving differently if it detects that it is in an analysis environment. We propose that such anti-analysis malware can be detected by their anti-analysis behavior in terms of certain signals. Signals form semantic features of potential anti-analysis techniques and are characterized as: weak, strong, or composite. We prototype a system to show the viability of detection. Experiments on malware and also non-malware show that both malware and non-malware can exhibit signals, however, anti-analysis malware tends to have more and stronger signals. We present the malware with an environment which behaves either like an analysis environment or not – we find anti-analysis malware behave differently in both cases. Normal programs, however, do not exhibit such behavior even when they have some weak signals. Signal detection is shown to have potential of distinguishing anti-analysis malware from non-malware.

Joash W. J. Tan, Roland H. C. Yap

### Attackers in Wireless Sensor Networks Will Be Neither Random Nor Jumping – Secrecy Amplification Case

Partially compromised network is a pragmatic assumption in many real-life scenarios. Secrecy amplification protocols provide a significant increase in the number of secure communication links by re-establishing new keys via different communication paths. Our paper shows that research in the area of secrecy amplification protocols for ad-hoc networks has been based on rather simplified foundations w. r. t. attacker models. The attacker does not behave randomly and different attacker capabilities and behaviour have to be considered. We provide means to experimental work with parametrisable attacker capabilities and behaviour in realistic simulations, and evaluate the impact of the realistic attacker properties on the performance of major amplification protocols (Full details, paper supplementary material and source codes can be found at http://crcs.cz/papers/cans2016.).We also show which secrecy amplification protocols perform best in different attacker settings and help to select a protocol that exhibits good results in a prevalent number of inspected scenarios.

Radim Ošťádal, Petr Švenda, Vashek Matyáš

### Improved Attacks on Extended Generalized Feistel Networks

In SAC 2013, Berger et al. defined Extended Generalized Feistel Networks (EGFN) and analyzed their security. They proposed designs with 8 or 16 branches. This class of schemes is well-suited for cryptographic applications. Using the minimal number of active S-boxes, the authors showed that for 64-bits messages divided into 8 branches, at least seven rounds are needed for security against differential and linear cyptanalysis. They proved that 10 rounds are required against integral attacks and 9 rounds against impossible differential attacks. In this paper, we propose a method that allows to attack up to 18 rounds the design with 8 branches. We also mention the results for the 16-branch design.

Valérie Nachef, Nicolas Marrière, Emmanuel Volte

### When Constant-Time Source Yields Variable-Time Binary: Exploiting Curve25519-donna Built with MSVC 2015

The elliptic curve Curve25519 has been presented as protected against state-of-the-art timing attacks [2]. This paper shows that a timing attack is still achievable against a particular X25519 implementation which follows the RFC 7748 requirements [10]. The attack allows the retrieval of the complete private key used in the ECDH protocol. This is achieved due to timing leakage during Montgomery ladder execution and relies on a conditional branch in the Windows runtime library 2015. The attack can be applied remotely.

Thierry Kaufmann, Hervé Pelletier, Serge Vaudenay, Karine Villegas

### On the Power of Public-key Function-Private Functional Encryption

In the public-key setting, known constructions of function-private functional encryption (FPFE) were limited to very restricted classes of functionalities like inner-product [Agrawal et al. - PKC 2015]. Moreover, its power has not been well investigated. In this paper, we construct FPFE for general functions and explore its powerful applications, both for general and specific functionalities.As warmup, we construct from FPFE a natural generalization of a signature scheme endowed with functional properties, that we call functional anonymous signature (FAS) scheme. In a FAS, Alice can sign a circuit C chosen from some distribution D to get a signature $$\sigma$$σ and can publish a verification key that allows anybody holding a message m to verify that (1) $$\sigma$$σ is a valid signature of Alice for some (possibly unknown to him) circuit C and (2) $$C(m)=1$$C(m)=1. Beyond unforgeability the security of FAS guarantees that the signature $$\sigma$$σ hide as much information as possible about C except what can be inferred from knowledge of D.Then, we show that FPFE can be used to construct in a black-box way functional encryption schemes for randomized functionalities (RFE).As further application, we show that specific instantiations of FPFE can be used to achieve adaptively-secure CNF/DNF encryption for bounded degree formulae (BoolEnc). Though it was known how to implement BoolEnc from inner-product encryption (IPE) [Katz et al. - EUROCRYPT 2008], as already observed by Katz et al. this reduction only works for selective security and completely breaks down for adaptive security; however, we show that the reduction works if the IPE scheme is function-private.Finally, we present a general picture of the relations among all these related primitives. One key observation is that Attribute-based Encryption with function privacy implies FE, a notable fact that sheds light on the importance of the function privacy property for FE.

Vincenzo Iovino, Qiang Tang, Karol Żebrowski

### A New Technique for Compacting Secret Key in Attribute-Based Broadcast Encryption

Public-key encryption has been generalized to adapt to more and more practical applications. Broadcast encryption, introduced by Fiat and Naor in 1993, aims for applications in pay-TV or satellite transmission and allows a sender to securely send private messages to any subset of users, the target set. Sahai and Waters introduced Attribute-based Encryption (ABE) to define the target set in a more structural way via access policies on attributes. Attribute-based Broadcast Encryption (ABBE) combines the functionalities of both in an efficient way. In the relevant applications such as pay-TV, the users are given a relatively small device with very limited secure memory in a smartcard. Therefore, it is of high interest to construct schemes with compact secret key of users. Even though extensively studied in the recent years, it is still an open question of constructing an efficient ABBE with constant-size private keys for general forms of access policy such as CNF or DNF forms. This question was partially solved at ESORICS ’15 where Phuong et al. introduced a constant secret-key size ABBE. But they manage restrictive access policies only supporting AND-gates and wildcards. In this paper, we solve this open question and propose an efficient constant-size private key ciphertext-policy attribute-based broadcast encryption scheme for DNF form. In particular, we also present the optimization in implementing our proposed scheme.

Sébastien Canard, Duong Hieu Phan, Viet Cuong Trinh

### An Efficient Construction of Non-Interactive Secure Multiparty Computation

An important issue of secure multi-party computation (MPC) is to improve the efficiency of communication. Non-interactive MPC (NIMPC) introduced by Beimel et al. in Crypto 2014 completely avoids interaction in the information theoretical setting by allowing a correlated randomness setup where the parties get correlated random strings beforehand and locally compute their messages sent to an external output server. The goal of this paper is to reduce the communication complexity in terms of the size of random strings and messages. In this paper, we present an efficient construction of NIMPC, which is designed for arbitrary functions. In contrast to the previous NIMPC protocols, which separately compute each output bit, the proposed protocol simultaneously computes all output bits. As a result, the communication complexity of the proposed protocol is $$\frac{\lceil \log d \rceil \cdot L}{\lceil \log d\rceil +L}$$⌈logd⌉·L⌈logd⌉+L times smaller than that of the best known protocol where d and L denote the size of input domain and the output length. Thus, the proposed protocol is the most efficient if both input and output lengths are larger than two.

Satoshi Obana, Maki Yoshida

### An MPC-Based Privacy-Preserving Protocol for a Local Electricity Trading Market

This paper proposes a decentralised and privacy-preserving local electricity trading market. The market employs a bidding protocol based on secure multiparty computation and allows users to trade their excess electricity among themselves. The bid selection and trading price calculation are performed in a decentralised and privacy-preserving manner. We implemented the market in C++ and tested its performance with realistic data sets. Our simulation results show that the market tasks can be performed for 2500 bids in less than four minutes in the “online” phase, showing its feasibility for a typical electricity trading period.

Aysajan Abidin, Abdelrahaman Aly, Sara Cleemput, Mustafa A. Mustafa

### Implementation of Verified Set Operation Protocols Based on Bilinear Accumulators

This paper proposes an efficient protocol for verifiable delegation of computation over outsourced set collections. It improves state of the art protocols by using asymmetric bilinear pairing settings for improved performance with respect to previous proposals based on symmetric settings. Moreover, it extends update operations by supporting efficient modifications over multiple sets. With respect to previous work the proposed protocol has a modular design, that clearly identifies its main building blocks and well-defined interfaces among them. This novel conceptualization allows easier auditing of the protocol security properties and serves as the blueprint of a novel implementation that is released publicly (https://weblab.ing.unimore.it/people/ferretti/versop/). To the best of our knowledge, this is the first public implementation of a protocol for verifiable sets operations.

Luca Ferretti, Michele Colajanni, Mirco Marchetti

### Multi-core FPGA Implementation of ECC with Homogeneous Co-Z Coordinate Representation

Elliptic Curve Cryptography is gaining popularity, and optimization opportunities exist on several different levels: algorithm, architecture, and/or implementation. To support a wide variety of curves and at the same time resist timing/power-based side-channel attacks, our scalar multiplication is implemented using the Co-Z ladder due to Hutter, Joye, and Sierra. We analyze the parallelism of the Co-Z ladder and show that a 12-core (though inefficient) system can complete a ladder step with the fastest speed. We also combine optimizations at every level in an efficient multi-core FPGA implementation. The size of the prime modulus can also be changed easily, for which we have implemented and tested up to 528-bits used in the NIST P-521 curve. Based on this building block, we have developed a multi-core architecture that supports multiple parallel modular additions, multiplications, and inverses.

Bo-Yuan Peng, Yuan-Che Hsu, Yu-Jia Chen, Di-Chia Chueh, Chen-Mou Cheng, Bo-Yin Yang

### DNSSEC Misconfigurations in Popular Domains

DNSSEC was designed to protect the Domain Name System (DNS) against DNS cache poisoning and domain hijacking. When widely adopted, DNSSEC is expected to facilitate a multitude of future applications and systems, as well as security mechanisms, that would use the DNS for distribution of security tokens, such as, certificates, IP prefix authentication for routing security, anti-spam mechanisms. Multiple efforts are invested in adopting DNSSEC and in evaluating challenges towards its deployment.In this work we perform a study of errors and misconfigurations in signed domains. To that end, we develop a DNSSEC framework and a webpage for reporting the most up to date statistics and provide reports with vulnerabilities and misconfigurations. Our tool also supports retrieval of historical data and enables to perform long-term studies and observations of changes in the security landscape of DNS. We make our tool and the collected data available via an online webservice.

Tianxiang Dai, Haya Shulman, Michael Waidner

### Integral Privacy

When considering data provenance some problems arise from the need to safely handle provenance related functionality. If some modifications have to be performed in a data set due to provenance related requirements, e.g. remove data from a given user or source, this will affect not only the data itself but also all related models and aggregated information obtained from the data. This is specially aggravated when the data are protected using a privacy method (e.g. masking method), since modification in the data and the model can leak information originally protected by the privacy method. To be able to evaluate privacy related problems in data provenance we introduce the notion of integral privacy as compared to the well known definition of differential privacy.

Vicenç Torra, Guillermo Navarro-Arribas

### Sharing Is Caring, or Callous?

The practice of third-party applications (social apps) on social networks sites (SNSs) to collect information about users’ friends has raised awareness of the problem known as interdependent privacy. Although studies have quantified the value which app users place on their friends’ personal information, i.e., interdependent privacy value, few have investigated factors that affect the valuation of interdependent privacy. In particular, research indicates that social capital, which is an immaterial resource that can yield positive social outcomes, plays an important role in individuals’ decision-making. Motivated by these works, we study the complex and yet undetermined relationship between interdependent privacy value and social capital. In addition, in order to gain a thorough understanding of interdependent privacy valuation, our study also examines its relationships with factors such as app data collection context (i.e., whether or not data collection is relevant to app performance), individuals’ number of friends within SNSs, and demographics.

Yu Pu, Jens Grossklags

### Improving the Sphinx Mix Network

Secure mix networks consider the presence of multiple nodes that relay encrypted messages from one node to another in such a way that anonymous communication can be achieved. We consider the Sphinx mix formatting protocol by Danezis and Goldberg (IEEE Security and Privacy 2009), and analyze its use of symmetric-key cryptographic primitives. We scrutinize the reliance on multiple distinct primitives, as well as the use of the ancient LIONESS cipher, and suggest various paths towards improving the security and efficiency of the protocol.

Filipe Beato, Kimmo Halunen, Bart Mennink

### User Authentication from Mouse Movement Data Using SVM Classifier

This paper presents a robust user authentication system by gleaning raw mouse movement data. The data was collected using a publicly available tool called Recording User Input (RUI) from 23 subjects analyzed for three types of mouse actions - Mouse Move, Point-and-Click on Left or Right mouse button, and Drag-and-Drop. Samples are broken down to unit blocks comprising a certain number of actions and from each block seventy-four features are extracted to construct feature vectors. The proposed system was rigorously tested against public benchmark data. Experiment results generated by using the Support Vector Machine (SVM) classifier shows a False Rejection Rate (FRR) of 1.1594 % and a False Acceptance Rate (FAR) of 1.9053 % when the block size was set for 600 actions. After reducing dimensions using Principle Component Analysis (PCA), SVM classifier shows FRR of 1.2081 % and FAR of 2.3604 %. Compared with the existing methods based on mouse movements, our method shows significantly lower error rates, which we opine are viable enough to become an alternate to conventional authentication systems.

Bashira Akter Anima, Mahmood Jasim, Khandaker Abir Rahman, Adam Rulapaugh, Md Hasanuzzaman

### Distance Bounding Based on PUF

Distance Bounding (DB) is designed to mitigate relay attacks. This paper provides a complete study of the DB protocol of Kleber et al. based on Physical Unclonable Functions (PUFs). We contradict the claim that it resists to Terrorist Fraud (TF). We propose some slight modifications to increase the security of the protocol and formally prove TF-resistance, as well as resistance to Distance Fraud (DF), and Man-In-the-Middle attacks (MiM) which include relay attacks.

Mathilde Igier, Serge Vaudenay

### Denying Your Whereabouts: A Secure and Deniable Scheme for Location-Based Services

Location Based Services (LBS) is often used in applications that allow users to interact with the environment and query for the location of persons, objects and services. However, such systems may undermine user privacy since the frequent collection of location data may reveal considerable information about an individual’s daily habits and profile. In this work, we present our Deniable-LBS scheme which gives users the ability to deny being in a particular location even if this location has been monitored by an internal or external party.

Tassos Dimitriou, Naser Al-Ibrahim

### Range Query Integrity in Cloud Data Streams with Efficient Insertion

Cloud computing provides users with the possibility to store their data in third-party servers. These data centers may be untrusted or susceptible to attacks, hence they could return compromised query results once interrogated. Query integrity has been widely investigated in the literature, and a number of methods have been proposed to allow users to verify that query results are complete (i.e., no qualifying tuples are omitted), fresh (i.e., the newest version of the results are returned), and correct (i.e., the result values are not corrupted). In this paper, we identify a specific scenario in which classical techniques for query integrity appear little suitable and we propose a new solution to overcome these drawbacks. The scenario considered, instantiated in a realistic video surveillance setting, is that of data streams in which append operations and range queries are dominant, and the efficiency is a critical factor.

Francesco Buccafurri, Gianluca Lax, Serena Nicolazzo, Antonino Nocera

### Vulnerability Analysis Using Google and Shodan

There is a continuously increasing number of attacks on publicly available systems in the internet. This requires an intensified consideration of security issues and vulnerabilities of IT systems by security responsibles and service providers. Beside classical methods and tools for penetration testing, there exist additional approaches using publicly available search engines. In this paper we present an alternative approach for vulnerability analysis with both classical as well as subject-specific engines. Based on an extension and combination of their functionality, this approach provides a method for obtaining promising results for audits of IT systems, both quantitatively and qualitatively.

Kai Simon

### Language-Based Hypervisors

We describe how to build a Language-Based Hypervisor (LBH) that can run untrusted applications (or modules) inside secure containers within a single language runtime instance. The LBH allows execution of untrusted code at a fine-grained level while controlling access to APIs, data, and resources. The LBH and untrusted applications are written in the same language and run together as one process on top of a single language interpreter or runtime. We use JavaScript as an example and describe how LBH can be implemented at the language level without modification to the runtime itself.

Enrico Budianto, Richard Chow, Jonathan Ding, Michael McCool

### Internet Censorship in Italy: A First Look at 3G/4G Networks

The techniques used to enforce Internet Censorship vary, and as a consequence the users can experience different results while accessing the same censored content in different contexts. While the corpus of Internet censorship studies is growing, to the best of our knowledge we are the first to focus on censorship detection on 3G/4G (hereafter mobile) network operators. After an introduction on the censorship detection platform and tests we adopted, we report the preliminary results of an experimental campaign we performed in Italy using the five major mobile operators. Our analysis shows that there is no homogeneity of treatment for a censored resource across different mobile operators, with 99.5 % of resources showing at least two different treatments, and the pairs of operators differing in the treatment of 32.5 % up to 99.5 % of censored resources. These results have significance regarding the transparency and precision of censorship, and the possibilities for circumvention and detection strategies.

Giuseppe Aceto, Antonio Montieri, Antonio Pescapè

### A Privacy-Preserving Model for Biometric Fusion

Biometric designs have attracted attention in practical technological schemes with high requirements in terms of accuracy, security and privacy. Nevertheless, multimodalities have been approached with skepticism, as fusion deployments are affected by performance metrics. In this paper, we introduce a basic fusion model blueprint for a privacy-preserving cloud-based user verification/authentication. We consider the case of three modalities, permanently “located” in different databases of semi-honest providers, being combined according to their strength performance parameters, in a user-specific weighted score level fusion. Secure multiparty computation techniques are utilized for protecting confidentiality and privacy among the parties.

Christina-Angeliki Toli, Abdelrahaman Aly, Bart Preneel

### Hybrid WBC: Secure and Efficient White-Box Encryption Schemes

White-box cryptography aims at providing security against an adversary that has access to the encryption process. Numerous white-box encryption schemes were proposed since the introduction of white-box cryptography by Chow et al. in 2002. However, most of them are slow, and thus, can be used in practice only to protect very small amounts of information, such as encryption keys.In this extended abstract we present a new threat model for white-box cryptography which corresponds to the practical abilities of the adversary in a wide range of applications. Furthermore, we study design criteria for white-box primitives that are important from the industry point of view. Finally, we propose a class of new primitives that combine a white-box algorithm with a standard block cipher to obtain white-box protection for encrypting long messages, with high security and reasonable performance.

Jihoon Cho, Kyu Young Choi, Orr Dunkelman, Nathan Keller, Dukjae Moon, Aviya Vaidberg

### Moving in Next Door: Network Flooding as a Side Channel in Cloud Environments

Co-locating multiple tenants’ virtual machines (VMs) on the same host underpins public clouds’ affordability, but sharing physical hardware also exposes consumer VMs to side channel attacks from adversarial co-residents. We demonstrate passive bandwidth measurement to perform traffic analysis attacks on co-located VMs. Our attacks do not assume a privileged position in the network or require any communication between adversarial and victim VMs. Using a single feature in the observed bandwidth data, our algorithm can identify which of 3 potential YouTube videos a co-resident VM streamed with 66 % accuracy. We discuss defense from both a cloud provider’s and a consumer’s perspective, showing that effective defense is difficult to achieve without costly under-utilization on the part of the cloud provider or over-utilization on the part of the consumer.

Yatharth Agarwal, Vishnu Murale, Jason Hennessey, Kyle Hogan, Mayank Varia

### Backmatter

Weitere Informationen

## BranchenIndex Online

Die B2B-Firmensuche für Industrie und Wirtschaft: Kostenfrei in Firmenprofilen nach Lieferanten, Herstellern, Dienstleistern und Händlern recherchieren.

## Whitepaper

- ANZEIGE -

### Best Practices für die Mitarbeiter-Partizipation in der Produktentwicklung

Unternehmen haben das Innovationspotenzial der eigenen Mitarbeiter auch außerhalb der F&E-Abteilung erkannt. Viele Initiativen zur Partizipation scheitern in der Praxis jedoch häufig. Lesen Sie hier  - basierend auf einer qualitativ-explorativen Expertenstudie - mehr über die wesentlichen Problemfelder der mitarbeiterzentrierten Produktentwicklung und profitieren Sie von konkreten Handlungsempfehlungen aus der Praxis.